Unknown

James_inthe_box Dec 19th, 2018 333 Never
# Snort/Suricata: HTTP POST check-in whose form body carries the BCDEF, MNOPQ, GHIJ, UVWXYZ and st parameters
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:"BCDEF="; http_client_body; content:"&MNOPQ="; http_client_body; content:"&GHIJ="; http_client_body; content:"&UVWXYZ="; http_client_body; content:"&st="; http_client_body; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http_header; classtype:trojan-activity; sid:20166276; rev:1; metadata:created_at 2018_12_19;)

rule unknown_bot
{
    meta:
        description = "Unknown bot"
        author = "James_inthe_box"
        reference = ""
        date = "2018/12"
        maltype = "Bot"

    strings:
        // "application/x-www-form-urlencoded" with every byte shifted up by one
        $string1 = "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe"
        // Check-in body template; same parameter names as the network rule above
        $string2 = "BCDEF=%s&MNOPQ=%s&GHIJ=%s&UVWXYZ=%s&st=%d"
        $string3 = "%s %s %s"
        $string4 = "Content-length: %d"
        $string5 = "DFCB="
        $string6 = "ID=%s"

    condition:
        // Every string must be present in the scanned file
        all of ($string*)
}